A new scamming method has been making the rounds on the internet and has caused alarm over the use of smartphones, as thieves have apparently devised a new way of stealing PIN codes in seconds using a thermal camera. Researchers said that android users, who use finger-drawn patterns to unlock phones, are the most susceptible to this theft. “PINs and patterns remain among the most widely used knowledge-based authentication schemes. As thermal cameras become ubiquitous and affordable, we foresee a new form of threat to user privacy on mobile devices,” researchers stated.

Researchers at the University of Stuttgart and the Ludwig Maximilian University in Germany revealed that a thief armed with a thermal camera could easily snap a photo of a user’s smartphone and decode the PIN using the user’s own heat signature. The researchers have created a six-step technique to better understand how the new scamming method works.

Decoding the modus: This is how scammers can steal your PIN

First, a thermal camera is set in place to measure heat signatures between 19 degrees Celsius to 32 degrees Celsius. The thermal camera is then used to take a snapshot of a smartphone’s screen. Next, software is used to convert the snapshot into a grayscale image with reduced background noise. Then, a two-way process – removing the background and retaining only the heat traces left by the user – is used to detect the PIN, usually appearing as one to four circles.

This is pretty similar to smudge attack, but a bit more sophisticated and complex. Heat traces retained on the smartphone screen give off different temperatures, giving thieves an insight on the PIN. The first digit entered on the smartphone would be the coolest, while the last one being the hottest. Analyzing the heat pattern is an instant giveaway for scammers.

Researchers said applying this process reveals a user’s PIN 90 percent of the time if the thermal image was taken within 15 seconds. However, the method’s accuracy drops to 80 percent if the image was taken after 30 seconds, and further decreases to 35 percent and below if the image was taken after 45 seconds or more. Experts also found that using the same technique can reveal an Android user’s finger-drawn pattern 100 percent of the time if the thermal image was taken within 30 seconds.

Experts said several techniques, such as placing the hand over the screen to create a pattern of random heat spots, may help deter an attack in the future. “However, there are different procedures that decrease the success rate of thermal attacks without involving the user. For example, increasing the brightness of the display to the maximum for a few seconds heats up the display temperature and, thus, reduces the time thermal traces are visible. Similarly, running computationally heavy processes on the phone quickly heats the phone up, resulting in a similar effect,” researchers said.

Android users may use an overlapping finger-drawn pattern to help reduce the risk of falling victim to this scam, researchers added. The findings are slated for presentation at the ACM CHI Conference on Human Factors in Computing Systems.

Another scam on the rise

Today’s ever-expanding smartphone landscape has given rise to some of the most sophisticated scamming methods that pose a great threat to millions of smartphone users worldwide. Another scamming method, the QRishing, is a form of Phishing that involves the use of QR codes. These are the little black-and-white square images seen in magazines, newspapers and the like. This scamming method uses a socially engineered bait — such as a discount voucher — to make curious victims scan the code. QRishing is used to steal personal information for monetary purposes.